CVE-2023-43472
published 2023-12-05CVE-2023-43472: An issue in MLFlow versions 2.8.1 and before allows a remote attacker to obtain sensitive information via a crafted request to REST API.
PriorityP267high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
EXPLOIT
EPSS
36.58%
98.3th percentile
An issue in MLFlow versions 2.8.1 and before allows a remote attacker to obtain sensitive information via a crafted request to REST API.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lfprojects | mlflow | <= 2.8.1 | — |
| lfprojects | mlflow | >= 0 < 2.9.0 | 2.9.0 |
Detection & IOCsextracted from sources · hover to see the quote
- →Shodan query 'http.title:"mlflow"' can be used to identify exposed MLflow instances potentially vulnerable to CVE-2023-43472. ↗
- →FOFA query 'app="MLflow"' can be used to identify exposed MLflow instances potentially vulnerable to CVE-2023-43472. ↗
- ·The vulnerability affects MLflow versions 2.8.1 and before; the unauthenticated REST API endpoint is accessible without credentials, indicating no authentication is enforced on this endpoint in affected versions. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Information exposure in MLflow
osv·2023-12-05
CVE-2023-43472 [HIGH] Information exposure in MLflow
Information exposure in MLflow
An issue in MLFlow versions 2.8.1 and before allows a remote attacker to obtain sensitive information via a crafted request to REST API.
GHSA
Information exposure in MLflow
ghsa·2023-12-05
CVE-2023-43472 [HIGH] CWE-200 Information exposure in MLflow
Information exposure in MLflow
An issue in MLFlow versions 2.8.1 and before allows a remote attacker to obtain sensitive information via a crafted request to REST API.
No detection rules found.
Nuclei
MLFlow < 2.8.1 - Sensitive Information Disclosure
nuclei·CVSS 7.5
CVE-2023-43472 [HIGH] MLFlow < 2.8.1 - Sensitive Information Disclosure
MLFlow < 2.8.1 - Sensitive Information Disclosure
An issue in MLFlow versions 2.8.1 and before allows a remote attacker to obtain sensitive information via a crafted request to REST API.
Template:
id: CVE-2023-43472
info:
name: MLFlow < 2.8.1 - Sensitive Information Disclosure
author: ritikchaddha
severity: high
description: |
An issue in MLFlow versions 2.8.1 and before allows a remote attacker to obtain sensitive information via a crafted request to REST API.
impact: |
An attacker can access sensitive information stored in MLFlow.
remediation: |
Upgrade MLFlow to a version that has patched CVE-2023-43472.
reference:
- https://www.contrastsecurity.com/security-influencers/discovering-mlflow-framework-zero-day-vulnerability-machine-language-model-security-contrast-security
- https://nv
No writeups or analysis indexed.
https://www.contrastsecurity.com/security-influencers/discovering-mlflow-framework-zero-day-vulnerability-machine-language-model-security-contrast-securityhttps://www.contrastsecurity.com/security-influencers/discovering-mlflow-framework-zero-day-vulnerability-machine-language-model-security-contrast-security
2023-12-05
Published